Vijeo Designer
Action: Plan Patch
Score: 7.8
Advisory: SEVD-2024-254-01
Published: Sep 10, 2024
Attack Vector: Local
Auth Required: Low
Complexity: Low
User Interaction: None needed
Summary
A privilege escalation vulnerability exists in Schneider Electric Vijeo Designer, HMI configuration software for Harmony and Magelis HMI devices. The vulnerability allows a local user with standard privileges to escalate to higher privileges and gain unauthorized access to HMI configuration files and workstation resources. Vijeo Designer version 6.3 SP1 and EcoStruxure Machine Expert version 2.3 contain fixes for this issue.
What this means
What could happen
An attacker with local access to an engineering workstation running Vijeo Designer could escalate privileges and gain unauthorized access to HMI configuration files, allowing modification of operator interface screens or process parameters.
Who's at risk
Operators and engineers at electric utilities and manufacturing facilities who use Schneider Electric's Vijeo Designer HMI configuration software on engineering workstations should apply this patch. The vulnerability affects HMI projects used to configure operator interface displays on Harmony and Magelis HMI devices.
How it could be exploited
An attacker with a user account on an engineering workstation running Vijeo Designer could exploit a privilege escalation vulnerability in the HMI software to gain elevated access. This could allow them to modify HMI configurations, alter display logic, or access sensitive plant data before deployment to production HMI devices like Harmony or Magelis units.
Prerequisites
- Local user account on engineering workstation running Vijeo Designer
- Vijeo Designer version earlier than 6.3 SP1 or EcoStruxure Machine Expert versions earlier than 6.3.2.16
- HMI project file access on the workstation
- Local access required
- Low complexity exploitation
- Affects engineering workstations
- Privilege escalation possible
Exploitability
Low exploit probability (EPSS 0.1%)
Affected products (2)
2 with fix
Product | Affected Versions | Fix Status
Vijeo Designer | <6.3 SP1 | 6.3 SP1
EcoStruxure™ Machine Expert | All versions | 6.3.2.16
Remediation & Mitigation
Schedule — requires maintenance window
Patching may require device reboot — plan for process interruption
Vijeo Designer
HOTFIX: Update Vijeo Designer to version 6.3 SP1 or later using the Schneider Electric Software Update (SESU) application
HOTFIX: Update EcoStruxure Machine Expert to version 2.3 (which includes Vijeo Designer 6.3.2.16) if using the integrated Machine Expert suite
Long-term hardening
Vijeo Designer
HARDENING: Enforce strong access controls and audit logging on engineering workstations where Vijeo Designer is installed
All products
HARDENING: Restrict local user accounts on engineering workstations to the minimum necessary privileges required for HMI development
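The two hardening items above (least-privilege local accounts and audit logging on the engineering workstation) can be checked with a short script. The following PowerShell is an added example, not part of the advisory or of any Schneider Electric tooling; it assumes a Windows engineering workstation with PowerShell 5.1 or later, and the allowlist entries are constructed placeholders to be replaced with the accounts your site actually approves for local administration.

```powershell
# Added example (not from the advisory): audit local Administrators membership
# on an engineering workstation against an allowlist of approved accounts,
# then confirm logon auditing is enabled so privilege use is recorded.

# Constructed placeholders: replace with the accounts/groups your site approves.
$Approved = @(
    "$env:COMPUTERNAME\Administrator",   # assumed: built-in local admin is approved
    "CORP\OT-Workstation-Admins"         # assumed: a domain group for OT admins
)

# Enumerate every principal currently in the local Administrators group.
$Members = Get-LocalGroupMember -Group "Administrators"

$Report = foreach ($m in $Members) {
    [pscustomobject]@{
        Account     = $m.Name
        ObjectClass = $m.ObjectClass      # User or Group
        Source      = $m.PrincipalSource  # Local, ActiveDirectory, etc.
        Approved    = $Approved -contains $m.Name
    }
}

$Report | Format-Table -AutoSize

# Flag anything with administrative rights that is not on the allowlist;
# standard users developing HMI projects should not appear here.
$Unexpected = @($Report | Where-Object { -not $_.Approved })
if ($Unexpected.Count -gt 0) {
    Write-Warning ("{0} account(s) in local Administrators are not on the allowlist; review and remove them." -f $Unexpected.Count)
    $Unexpected | ForEach-Object { Write-Warning (" - " + $_.Account) }
} else {
    Write-Host "Local Administrators membership matches the allowlist."
}

# Show the effective audit settings for logon events; these should be set to
# Success and Failure so that local logons and privilege use are logged.
auditpol /get /category:"Logon/Logoff"
```

Run it from an elevated PowerShell session on each workstation where Vijeo Designer is installed; any account listed as not approved is a candidate for removal from the Administrators group, and any Logon/Logoff subcategory reported as "No Auditing" should be enabled through Advanced Audit Policy before the workstation returns to service.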
CVEs (1)
API:
/api/v1/advisories/39d52e07-7f7a-4c7c-b3a2-96e3d8a11815